X-Ray for Android

Featured In

Download

There are two ways of downloading X-Ray:

On your phone or tablet, visit:

xray.io/dl

Scan this barcode:

Note: X-Ray is installed directly (via an APK) instead of through the Google Play store. Make sure your settings allow for the installation of non-market apps before installing X-Ray. You can enable this setting under Settings → Applications/Security → Unknown sources.

News

2016/07/29 - X-Ray 2.1

X-Ray now has auto-updater functionality! We know it's hard to update sideloaded apps, and since we're checking for vulnerabilities Google doesn't offer us any other choice.

So, we made the choice to add an updater. X-Ray users will see an alert prompting them to download new versions when they're available. Sweet! For full details, see our blog post.

2016/01/19 - X-Ray 2.0

We've released a complete rewrite of X-Ray. This brings support for checking the latest vulnerabilities. There's too much to cover here, so check out our blog post and see what's new.

Frequently Asked Questions

What is X-Ray?

X-Ray was developed by the security experts at Duo Security. We hope that X-Ray will empower users with knowledge of vulnerabilities on their devices and allow them to take action to improve their security. We encourage users to contact their carriers and ask for their devices to be patched.

Think your Android device is secure? X-Ray helps prove it to you.

What does X-Ray do?

X-Ray scans your Android device to determine whether there are vulnerabilities that remain unpatched by your carrier. The X-Ray app presents you with a list of vulnerabilities that it is able to identify and allows you to check for the presence of each vulnerability on your device.

X-Ray has detailed knowledge about a class of vulnerabilities known as “privilege escalation” vulnerabilities. Such vulnerabilities can be exploited by a malicious application to gain root privileges on a device and perform actions that would normally be restricted by the Android operating system. A number of such vulnerabilities have been discovered in the core Android platform, affecting nearly all Android devices. Even more have been discovered in manufacturer-specific extensions that may affect a smaller subset of Android users. Unfortunately, many of these privilege escalation vulnerabilities remain unpatched on large populations of Android devices despite being several years old.

Why are there unpatched vulnerabilities on my device?

First, the software underlying a modern mobile device is controlled by many parties. Google may be in charge of the base Android Open Source Project, but a typical device includes many different packages, drivers, and customizations from carriers, manufacturers, and other third-parties, not to mention all the open source components (Linux kernel, WebKit, libraries) owned by various project maintainers. When a vulnerability is discovered, coordinating with the responsible parties isn't a trivial task. You'd probably lose if you tried to play Six Degrees of Separation with the developer who introduced the vulnerability, and the party who's responsible for patching it.

Second, carriers can be slow and conservative to supply patches to their users. There is certainly a risk in supplying an update to millions of users, but that doesn't make it acceptable to continue to leave these users exposed to public vulnerabilities for months (or years). The current incentives are flawed: there's little motivation for carriers to put the effort into developing, testing, and deploying a patched version when the latest Android version is sitting on a new device ready for consumers to purchase.

Why are these unpatched vulnerabilities dangerous?

If there are vulnerabilities present on your device that are not patched, a malicious application may exploit the vulnerabilities to gain full, unrestricted control over your Android device. While the apps you install from the Google Play store are normally restricted by the permissions you grant them and constrained by the Android sandbox, these vulnerabilities allow a malicious application to escalate privileges to a root/superuser privilege and perform any action they desire without you knowing.

What can I do if my device is vulnerable?

If X-Ray determines that your device is vulnerable, there are a few potential actions you can take to increase the security of your device:

You can check for available official updates from your carrier, usually by going to Settings → About phone → System Updates on your Android device.

While it might not result in an immediate remediation, we encourage you to contact your carrier about the availability of an update to fix the vulnerabilities that X-Ray detected.

If no official carrier updates are available, you may be able install a third-party ROM (eg. CyanogenMod) that may have patched the vulnerabilities. It's worth noting that some third-party ROMs may introduce vulnerabilities of their own, so you should explore this option with caution.

If you're able to update your device, you can run X-Ray again to verify that the vulnerabilities have been sufficiently patched.

Even if you're unable to update your device, X-Ray allows you to better understand the risks associated with your mobile device. If you know that any malicious app you download can take full control of your device using publicly available exploits, you should exercise even more caution when downloading and installing third-party apps.

Is it safe to run X-Ray?

Absolutely. Running X-Ray device will have no adverse effects on the security, stability, or performance of your device. X-Ray is installed and run just like any mobile application and requires no special privileges to operate. X-Ray is able to safely probe for the presence of a vulnerability without ever exploiting it.

How does X-Ray differ from mobile antivirus software?

X-Ray takes a fundamentally different approach to mobile security.

Mobile antivirus software attempts to discover malicious applications installed on your device. Unsurprisingly, mobile antivirus is quite ineffective in protecting against new attacks since the number of malicious apps that will be created is unbounded. Updating your antivirus signatures every day to address new threats is not a sustainable approach to security.

Instead of trying to detect all the possible malicious apps in the universe, X-Ray takes a different approach and seeks out the known vulnerabilities in the underlying mobile platform itself. X-Ray doesn't care whether the apps on your device are good or bad, it only cares whether there are vulnerabilities present that bad apps often exploit to gain full control of your device.

What information does X-Ray collect from my device?

X-Ray collects information about your device, but not about you.

The collected information serves two purposes:

to determine whether your device is vulnerable, and

to collect statistics on just how many Android devices out there are vulnerable

This information is useful to apply pressure on carriers to actually fix the underlying problem, so your participation may end up improving the security of all Android users.

Specifically, X-Ray collects the version of your OS (eg. “2.3.6”), the make/model of your device (eg. “Samsung Nexus S”), your carrier's name (eg. “T-Mobile”), a randomly-generated device ID (eg. “9a17e3fedcde4695”), and potentially vulnerable software components (eg. “/system/bin/vold”). The information collected will not be shared with any third-parties except in aggregate form (eg. a graph showing the total number of vulnerable devices).

Why is X-Ray not distributed through Google Play Store?

We definitely understand that users prefer to install apps from the Play Store, especially when they're security-related apps. Unfortunately, Google informed us that the terms of service of the Play Store disallow applications such as X-Ray that check for Android vulnerabilities.

Are these vulnerabilities unique to the Android platform?

Yes and no. All mobile platforms face vulnerabilities. Software has bugs, and many bugs can exploited by malicious parties in an attempt to take control of your device.

However, the impact of such vulnerabilities may be greater on the Android platform due to the lack of expedient patching by the carriers. Mobile platforms such as iOS may fare better at distributing patches for vulnerabilities more quickly since the updates come directly from Apple as opposed to the decentralized Android carriers.

Is X-Ray available for enterprise use?

Yes, the underlying technology that powers X-Ray can be deployed on an enterprise-wide level, giving you global visibility into vulnerabilities affecting your employees' mobile devices. Please contact xray@duo.com for more information.

Vulnerabilities

X-Ray is automatically updated with the ability to scan for new vulnerabilities as they are discovered and disclosed. The app currently checks for the following vulnerabilities on your Android device:

CVE-2011-1149

This vulnerability is what is known as a privilege escalation which gives a malicious application or individual the ability to obtain complete access to a vulnerable device. First identified in Android version 2.3 and below, the problem lies in the fact that access to the system property space is not properly controlled.

CVE-2013-4787

Also known as the “Master Key” vulnerability, this issue allows an attacker the ability to hide a malicious application inside of a legitimate one tricking the user in to accidentally installing it and compromising the device’s security.

CVE-2013-6282

This vulnerability is known as a privilege escalation vulnerability which gives a malicious application or an attacker the ability to obtain complete access to a vulnerable device.

CVE-2014-3153

Also known as the “towelroot bug” this vulnerability allows a malicious application or individual the ability to obtain complete access to a vulnerable device. The vulnerability, which also affects some Linux versions, was identified in the Android kernel.

CVE-2014-4943

This vulnerability is what is known as a privilege escalation which gives a malicious application or individual the ability to obtain complete access to a vulnerable device. The specific flaw was identified in the Android kernel and is found in the implementation of PPP over L2TP sockets.

CVE-2015-1528

This vulnerability is what is known as a privilege escalation which gives a malicious application or individual the ability to obtain complete access to a vulnerable device. The specific flaw is an integer overflow vulnerability in Android libcutils.

Also known as the “Stagefright vulnerabilities” there are multiple bugs in the Android library (Stagefright) responsible for processing multi-media files that allows a malicious application or individual the ability to execute code with elevated privileges and obtain complete control over the device.

CVE-2015-3636

This vulnerability is what is known as a privilege escalation which gives a malicious application or individual the ability to obtain complete access to a vulnerable device. A use-after-free bug in /net/ipv4/ping.c affecting both Linux and Android is what makes this vulnerability possible.

CVE-2015-6608

This vulnerability is known as a memory corruption which allows an attacker or malicious application the ability to either execute arbitrary code with full system privileges or cause a denial of service condition on vulnerable devices.

CVE-2015-3825

This vulnerability is what is known as a privilege escalation which gives a malicious application or individual the ability to obtain complete access to a vulnerable device. The specific flaw is in the implementation of the OpenSSLX509Certificate class on Android devices.

CVE-2015-7888

This vulnerability is what is known as a directory traversal bug which gives an attacker or malicious application the ability to write files on vulnerable devices with privileged (system) access. This vulnerability may be leveraged with other issues in order to gain complete control of a vulnerable device.

CVE-2015-1474

This vulnerability is known as a heap corruption vulnerability which allows an attacker or malicious application the ability to gain privileged access to the device. In some cases this vulnerability may also be used to cause a denial of service condition on vulnerable devices.